Want to transfer your personal data to New Zealand? Now you can!
What Has Happened?
The European Commission has formally recognised the adequacy of data protection laws in New Zealand (i.e. it has confirmed that data protection laws in New Zealand provide at least the same degree of protection as those enjoyed by data subjects in the UK/rest of the EEA).
Why Does It Matter?
The 8th Principle of the DPA requires data controllers to satisfy additional requirements where personal data is being transferred outside the EEA (the EU member states plus Iceland, Liechtenstein and Norway).
There is an exception to the requirements of the 8th Principle where the destination country has received a finding of 'adequacy' from the EU Commission.
So, going forwards, data controllers in the UK/EEA can arrange for personal data to be processed in New Zealand without any further requirements to comply with the 8th Principle. However, this doesn't mean that data controllers can simply stop worrying about the DPA where data is being processed in New Zealand - all of the remaining requirements of the DPA will continue to apply where data is processed in New Zealand (and in particular, the 7th Principle's requirements in relation to security when data is being processed by a third party).
Do Any Other Countries Have 'Adequate' Data Protection Laws?
New Zealand is added to the existing list of countries whose data protection laws have been found to be adequate by the EU Commission, i.e. Andorra, Argentina, Australia, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey and Uruguay (and the United States, where the Safe Harbor scheme is adhered to by the receiving party).
In relation to the US, we've previously commented on some of the shortcomings of the Safe Harbor scheme and these should be borne in mind even where you are dealing with a data processor in the US who adheres to the US' Safe Harbor scheme.
Are There Any Other Ways to Transfer Personal Data Outside The EEA?
Yes, there are - we'll be providing a breakdown of each of the DPA's data protection principles and we'll cover how personal data can be transferred in practice and in compliance with the 8th Principle.